Unconditionally Secure Quantum Bit 
Commitment is Simply Possible 
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Mayers, Lo and Chau proved unconditionally se- 
Zj . cure quantum bit commitment is impossible. It is 

*5a \ shown that their proof is valid only for a particu- 

k^y lar model of quantum bit commitment encoding, in 

general it does not hold good. A different model 
of unconditionally secure quantum bit commitment 
■ - both entanglement and disentanglement-based - 

J> . is presented. Even cheating can be legally proved 

with some legal evidences. Unconditionally secure 
' quantum bit commitment can be established on the 

C^- ■ top of unconditionally secure quantum coin tossing, 

which is also claimed to be two-way impossible. 
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The task of quantum key distribution (QKD) is to provide iden- 
tical sequence of random bits for two distant parties - sender and 
receiver. Its security against eavesdropping is guaranteed by quan- 
tum mechanics. But the question is: Will they always get identical 
sequence ? From conventional quantum key distribution (QKD) 
protocols [1,2], they cannot have identical sequence if one of them 
becomes dishonest. It seems to be a non-issue. If they want to com- 
municate secretly there is no reason of being dishonest. One may 
even argue that secure communication between mistrusted parties 
is itself meaningless and therefore, honesty is the best policy in 
secure communication. But, in conventional QKD protocols, dis- 
honesty is allowed by the protocol itself. This is a new thing. 

To elucidate the issue, let us recall the BB-84 QKD protocol [1] . 
Like all other conventional QKD protocols it also works on two-step 
process. In the first step, sender transmits a sequence of 0°, 90°, 
45°and 135° polarized single photons. The 0° and 45° single pho- 
tons represent bit and 90°and 135° single photons represent bit 
1. Receiver could recover the bit values if sender gives the required 
information (basis of measurements) regarding the bit values. In 
the second step, sender reveals the required information to receiver. 
The problem is, sender can flip the bit value by changing the re- 
quired information although he committed the bit value in the first 
step. This is cheating. 

This particular type of cheating can be described as 180° shift 
from commitment. This shift may be accepted if receiver does not 
get ultimately cheated. Bennett and Brassard were aware about 
the problem and they observed that their BB-84 protocol is totally 
insecure against cheating if sender uses suitable entangled states 
instead of the said BB-84 states. To overcome this difficulty, the 
idea of bit commitment surfaced in the early 90 's. It was antic- 
ipated that if quantum bit commitment (QBC) is established on 
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the top of QKD scheme then cheating could be detected. As if, 
in cryptographic communication quantum mechanics could resist a 
committed partner to be an imposter. If secure QBC protocol is 
found, it was thought that it could be the basis of other impor- 
tant cryptographic schemes such as secure quantum coin tossing, 
secure quantum oblivious transfer, secure two-party quantum com- 
putation. So, the security issue of quantum bit commitment has 
immense importance. 

In 1995, on the basis of conventional model quantum cryptog- 
raphy, a QBC protocol [3], known as BCJL scheme, was proposed 
and claimed to be provably secure against all types of cheating. 
Mayers [4] followed by Lo and Chau proved [5] it incorrect. But 
message of their work is that there cannot have any secure bit com- 
mitment protocol, although they worked on a particular model of 
quantum bit commitment encoding. Recently Kent [6] has invaded 
this belief. He showed that secure classical bit commitment proto- 
col exists. As the security of his protocol is based on special theory 
of relativity, it is still widely believed that their proof is valid for 
all unknown quantum bit commitment protocols [7] , which will not 
use relativity to ensure security against cheating. If it be so, in 
cryptography relativity wins over quantum mechanics. We shall 
see, that the belief - quantum cryptography is too weak to realize 
bit commitment encoding- is misplaced. 

We shall first discuss why their proof cannot be considered as 
a generalized result. Recall the reasoning of complete cheating. 
Complete cheating is possible when two density matrices associated 
with bit and 1 are same i.e Po — Pi- Because of this equivalence of 
two density matrices, using entanglement, sender, after transmit- 
ting the state |0), corresponding to bit 0, can alone apply unitary 
transformation U to convert |0) to |1), corresponding to bit 1 and 
vice versa, keeping the receiver in dark about this transformation. 
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But it does not necessarily mean whenever p = pi cheating will be 
possible and successful. 

Consider the following simple quantum coding technique [8-9]. 

Bit — ► {i/j, 0, V, 0, tp, i/>, 0, 0, ik, 0, } 

Bit 1 ► {(f), 0, ip, ijj, 0, V, ^, 0, 0, } • 

These are two reasonably large sequences of two nonorthogonal 
quantum states ip and ( they are strictly not orthogonal because 
it will be classical encoding with quantum states ). Suppose these 
are two sequences of 0° and 45° (1:1) polarized single photons. So 
Po — p\. Information regarding the above two sequences is shared 
between sender and receiver. Here cheating is not possible as re- 
ceiver can alone recover the bit value from the information they 
initially shared. The simple method of recovery of bit values can 
be like this: Bob uses analyzer at 0° and 45° orientations for his 
measurements and wants to recover the bit values from exactly one 
half of the transmitted sequences without missing to detect a single 
state. In the first 50% events Bob measures according to the first 
(given above) sequence and in the last 50% events he measures ac- 
cording to the second sequence properly using his analyzers. There- 
fore, always he could statistically and deterministically recover the 
exact half of any of the above two sequences. If exact first half of the 
first sequence is recovered then bit is deterministically 0. Similarly 
if exact last half of the second sequence is recovered then the bit is 
deterministically 1. But this is a cheating-free single step QKD pro- 
tocol not the two-step quantum bit commitment protocol. Similarly 
our single step entanglement- based QKD protocol [9] can be con- 
sidered as a cheating-free protocol. It perhaps implies that cheating 
was possible in conventional QBC as because they did not share in- 
formation of the two density matrices not because of the equivalence 
of density matrices though their encoding does not allow to do so. 
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So sharing of information can be a precondition to have a secure 
QBC. But this precondition is not enough to realize two-step bit 
commitment encoding. Next we shall see, single step cheating-free 
QKD protocol can be simply modified into two-step protocol to 
realize unconditionally secure quantum bit commitment. First we 
shall present a two-step entanglement-based QBC protocol. 

Suppose Alice has n pairs of EPR particles. Taking one particle 
of each pair, she arranges them in a particular fashion and taking 
the partner particles she arranges them in another way with the 
help of quantum memory. Suppose the two arrangements are : 

5 = {A, B, C, D, E, F, G, H, }, 

so = {6, /, g, a, e, h, d, c, } 

Here capital and its small letter stand for an entangled pair. 
That is, particle "A" and "a" form an EPR pair and particle "B" 
and "b" form another EPR pair and so on. These two arrangements 
represent bit 0. To represent bit 1, similarly she can arrange them 
in another two different ways: 

51 = {M, N , O, P, Q, R, S, T, }, 

si = {s, o, n, p, t, q, m, r, }. 

To avoid confusion we have used two sets of capital and small 
letters to denote entangled pairs. The entangled state can be rep- 
resented as, 

My = i/V2(\ r>ii i) j - 1 T>,) 

where i and j denote the position of the EPR particles in S /i and 
So/i respectively. The above information about the two arrange- 
ments is secretly shared between them. 

Bit commitment encoding can be executed in two-step process. 
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In the first step, Alice commits bit by sending So and in the 
second step, she reveals the required information just by sending 
s • Similarly she can commit bit 1 by sending Si in the 1st step 
and reveals its value by sending si in the second step. Instead of 
directly sending the 2nd sequence, the results of measurements on 
2nd sequence in a pre-committed basis can also be revealed. From 
the first incoming sequence S or Si, Bob cannot recover the bit 
values. But he can alone recover Alice's committed bit when he 
will get the partner sequence so or si. He can measure the spin 
in a fixed direction. Measurements on the two sequences of EPR 
particles will produce correlated data. Bob's task is to recover the 
bit values from these data and initially shared data. If dishonest 
Alice sends si after S or s after Si, then Bob could not identify 
any of the bit values because EPR correlation will be lost in the 
case of cheating. Thus cheating will be exposed. 

The protocol, described above, is an entanglement-based QBC 
protocol. Using two sequences of deliberately prepared superposi- 
tion states and following the same operational procedure disentan- 
glement based QBC protocol can be given. Suppose the superposi- 
tion states are: 



The sequence (Q ) of the states \A)i and \B)i represent bit value 
and the sequence (Qi) of states |C)j and \D)i represents bit value 
1. The preparation procedure of these superposition states has been 
discussed in ref 8. To commit the bit value, say 0, Alice in the 1st 
step, splitting each state | ) of the shared sequence (Qo) of states 
sends the sequence (So) of the truncated state | ) r which does not 



\A)i 
\B)i 
\C)i 
\D)i 



i/V2(\ <->)s + 1 <->>•) 

i/v^l <->5 + lt>5). 
i/V2(\ <->>! + 1,/>; 
i/V2(|<->>; + |\>;. 
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contain the bit value. The path s is the bit-carrying path. Alice 
keeps the remaining sequence (s ) of states | ) s in quantum mem- 
ory (using delay). In the second step, Alice transmits the sequence 
(so) of the states | ) s to Bob. Note that, positions of the complete 
state and truncated states in their respective sequences are same. 
In that sense Qo = So = so and Qi — S± — s\, where Si and s\ 
are wave fuction-splitted sequences representing the bit 1. Bob can 
alone recover the bit values from the second sequence because it 
carries the bit values. The simple method of recovery of bit value 
from the second sequence is discussed below. 

Suppose in the sequence Qo the \A)iS are at odd positions and 
\B)iS are at even positions but |C)»s and \D)jS have no such regu- 
larity in Qi. Now Bob uses 90° analyzer to measure on the second 
sequence of states | ) s . He gets a sequence of "yes" and "no" re- 
sults. If the results "yes" come only at even positions, then the bit 
is 0. If Alice transmits si after transmitting So or s after Si Bob 
will certainly be aware of such improper execution of the protocol. 
Bob will have to go through the dual measurements on both the se- 
quences(need not be at the same time), if he wants to know whether 
Alice is cheating or not. The probability of dual occurrence of re- 
sult "yes" is given in table 1, considering Alice transmits sq after 
Si or si after So and Bob uses both analyzers at 0°. One cannot 
get double "yes" from a single particle. It implies that not only 
Bob but also any third party, who does not know anything about 
their shared information, could spot the cheating. It implies Bob 
could prove before the court that Alice tried to cheat him provided 
some legal evidences help him. This is also true for entanglement- 
based QBC, but Bob has to reveal their shared secret before the 
court. Of course before going to the court Bob has to be certain 
that there is no meaningful correlation in the data sets since Alice 
can transmit her two private sequences at random to defame Bob 
before the court by disapproving the Bob's revealed data as their 
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shared data. This is an interesting thing - we are tempted to say 
that honesty is the only policy in quantum communication. 

The above protocol reveals another interesting thing: due to su- 
perposition principle it is possible to commit the bit value without 
sending the actual bit-carrying part of the wave function. The situ- 
ation can be thought as a case of commitment prior to commitment. 
On the other hand, in our entanglement-based QBC protocol both 
first and second sequences are required to recover the bit value. 
So the significant difference between our entanglement-based and 
disentanglement-based QBC is that cheating is possible (although 
it will be unsuccessful) in disentanglement-based QBC but cheating 
is totally impossible in entanglement-based QBC. 

In the above two schemes, bit commitment encoding is two-step 
process. The QBC can be realized through multi-step procedure. 
Alice can commit through many steps and reveals the commitment 
after that (it can also be thought as a single-step commitment fol- 
lowed by multi-step disclosure ). Yet the commitment is secure. 
The encoding is same except we need higher dimensional Hilbert 
space (for fixed n ) to execute multi-step QBC. As for example, they 
can take GHZ state W)ghz = l/v^(| ]g]h]z) + | la in |z))[H]- 
The n copies of three entangled particles ( denoted by G, H, and 
Z) can be arranged in three different ways to represent bit 0. The 
arrangements are denoted by Go, H and Z . Similarly Alice can 
arrange them in another three different ways, denoted by G±, Hi 
and Z 1 , to represent bit 1. Alice in the first step commits bit 
by sending Gq and reveals the commitment by sending H and Z 
in the next two steps. Similarly she can commit the bit 1. If they 
want to have a multi-step disentanglement-based QBC scheme they 
can use a linear chain of superposition state of our earlier proto- 
col. For three-step disentanglement-based QBC, the superposition 
states are (see ref 8): 
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\A)i = l/y/3{\ <->)5 + | <->)* + | <->)■) 

\B)t = l/y/3(\ ~)' + I <->)* + I I>3) 

|C7>« = 1/V3(| <->); + !<->)* + !,/)« 

= 1/^3(1 <->); + 1 <->)* + . 

Again sequence (Q ) of states \A)i and represent bit and 
sequence (Qi) of states \C)i and represent bit 1. Alice commits 
the bit value by sending the sequence of states | and reveals the 
commitment by sending the sequence of states | )* first and then 
by sending the actual bit- value-carrying sequence of states | ) s . 

To prove unconditional security the effect of noise is excluded. 
We shall consider it. Due to noise some of the Bob's measured data 
will be corrupted. Manipulating noise (bringing noise level down) 
Alice can execute the protocol dishonestly up to the noise level. 
Nevertheless Bob can statistically faithfully recover the bit value in 
presence of noise. The main advantage of initial sharing of informa- 
tion of bit preparation is that we will not have to be worried about 
any unknown attacks. Note that, sharing means pre-commitment 
and this can give security against cheating even for unknown at- 
tacks. The BCJL scheme [3] failed because presently known attack 
was not clearly known to the authors. 

In our alternative QBC protocols, the probability of the success 
in cheating is always zero. Security does not depend on time, space, 
technology, noise, and unknown attacks. Therefore, protocols can 
be safely claimed as absolutely secure protocols against cheating. 
It can be mentioned that security is not coming from quantum me- 
chanics; it only allows us to perform quantum bit commitment. It 
is interesting to note, conventional QBC protocol totally fails be- 
cause of entanglement. The same entanglement provides us secure 
QBC, although bit commitment is not the problem of alternative 
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QKD. Regarding bit commitment issue, entanglement is not our 
enemy rather our friend indeed. 

Coin tossing is another important cryptographic primitive: two 
distant mistrusted parties want to generate faithful random bits 
to authenticate the channel either by classical coin tossing or by 
quantum coin tossing (QCT). We can think of two types of coin 
tossing -ideal and nonideal. It should be mentioned that if one of 
them does not want to simulate the real coin tossing there is no 
physical law which can compel him/her to do so. The question 
is, how far the can the generated bits be considered secure against 
cheating ? Very simple unconditionally secure classical coin toss- 
ing protocol exists [13] Lo and Chau claimed that [12] secure ideal 
QCT is impossible. Their proof is based on the assumptions: ii) 
shared entanglement cannot be proven genuine ii) entanglement is 
a necessary condition for secure ideal QCT. We have shown how to 
check [9] the authenticity of the shared entangled states. Therefore, 
simulation of ideal QCT is simply possible. It is well known that 
QCT can be based on QBC protocol. So, we are getting second 
QCT from our QBC. In addition to that, our QKD protocols are 
basically QCT protocols. Alternative QCT protocols can be ideal 
or non-ideal QCT protocols. That is, every bits are secure. These 
three types of QCT are unconditionally secure against cheating . 
Yet they cannot be used for authentication until they are proved 
absolutely secure in presence of noise. 

The power of different cryptographic primitives is itself a sub- 
ject of interest. Recently Kent has claimed that QCT cannot be 
built on the top of QBC and therefore it is weaker than QBC. We 
have already seen that our QKD can be thought as QCT on which 
we can implement our QBC. So Kent's proof cannot encompass our 
model. We have seen that all QKD/QCT protocols are not QBC 
protocol. Is the reverse true ? The reverse will not be true if there 
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is regularity in each of the two operating sequences. This type of 
QBC cannot be used as secure QCT for authentication. We con- 
clude: 1. unconditionally secure QBC can be implement on the top 
of unconditionally secure QCT. 2. unconditionally secure QCT can 
be implement on the top of unconditionally secure QBC. 3. Every 
QBC is not QCT scheme. 4. Every QCT is not QBC scheme. 

Yao has proved [14] that secure quantum oblivious is possible if 
secure quantum bit commitment is found. On the other hand Kil- 
lian [15] has proved that secure oblivious scheme can be the basis of 
secure one-sided two-party computation. Applying classical reduc- 
tion theory it has been argued that secure quantum computation 
scheme can be derived from the secure quantum bit commitment 
scheme. Now we have got secure quantum bit commitment scheme, 
can we hope for such secure quantum computation scheme ? The 
problem is, Lo has already proved [16] that secure one-sided two- 
party quantum computation is impossible. We are in a fix. Either 
Lo's proof is not a generalized result or the chain of logic is partly 
or totally incorrect. At least both cannot be right. This puzzle 
deserves further investigation. 

There is another misleading analysis on conventional quantum 
cryptographic model. For a particular eavesdropping attack, it is 
stated that optimal information gain of the eavesdropper versus 
introduced error by him/her is bounded by the laws of quantum 
mechanics. This is true if there is only one eavesdropper. If we 
consider many eavesdroppers then optimal gain of information of 
any eavesdropper will depend on the co-operation of other eaves- 
droppers which quantum mechanics cannot dictate. Considering 
the many eavesdropping issue one can even lead to the conclusion: 
two eavesdroppers are more acceptable than one eavesdropper if 
one has to accept eavesdropping and can tolerate error. But this 
discussion is beyond the scope of this paper. One may wonder: why 
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so much shortcomings ? Perhaps topics demands so. 

In conclusion, as QBC issue tells us how to distribute cheating- 
free information at different time, it might have different applica- 
tions in public and private life. And this is possible to implement 
within the present technology because, without storing the quan- 
tum states the results of measurements can be stored and revealed 
later instead of storing quantum states and sending them later to 
execute QBC. 

I thank C. H. Bennett for one of his comment on alternative 
QKD protocol that activated this work. 
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Table 1. Joint probabilities when DA at (0° : 0°) 
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